Basic Information:

Version Specific Information:

Cucumber 1.0 i686

fixed in cpio-2.12-i686-2

Cucumber 1.0 x86_64

fixed in cpio-2.12-x86_64-2

Cucumber 1.1 i686

fixed in cpio-2.12-i686-2

Cucumber 1.1 x86_64

fixed in cpio-2.12-x86_64-2

Details:

=================================== Overview ===================================
It was found that the cpio --no-absolute-filenames option since version 2.7 did
not verify paths during extraction. A specially crafted cpio archive could
bypass this option and write to an arbitrary location, outside of the
extraction directory.
================================ Initial Report ================================
From https://lists.gnu.org/archive/html/bug-cpio/2017-06/msg00001.html:
Hi,
Looking at cpio, i found what seems to be a way to bypass the
--no-absolute-filenames option, which supposedly prevents data to be written
outside of the current folder.
One just need to create a cpio archive that contains a symlink to the required
destination, then a file that appears to be from inside the symlink (this
requires a specially crafted cpio archive) :
1) there is no file called /tmp/blah
address@hidden testings]$ ll
total 4
-rw-rw-r--. 1 cedric cedric 384 Jun 4 22:34 link.cpio
address@hidden testings]$ ll /tmp/blah
ls: cannot access '/tmp/blah': No such file or directory
2) I extract the specially crafted cpio
address@hidden testings]$ cpio -idv --no-absolute-filenames < link.cpio
link
link/blah
1 block
3) there is a file /tmp/blah
address@hidden testings]$ ll
total 4
lrwxrwxrwx. 1 cedric cedric 5 Jun 4 22:21 link -> /tmp/
-rw-rw-r--. 1 cedric cedric 384 Jun 4 22:15 link.cpio
address@hidden testings]$ ll /tmp/blah
-rw-rw-r--. 1 cedric cedric 3 Jun 4 22:21 /tmp/blah
The very naive patch attached makes use of safer_name_suffix() to sanitize
symlink's value.
Thanks!
--
Cedric Buissart,
Product Security
================================= Our Analysis =================================
----- Affected Products -----
All versions of cpio since 2.7 that have not had the patch from
https://lists.gnu.org/archive/html/bug-cpio/2017-06/txt8lVereD0rk.txt applied
are vulnerable to this vulnerability. This includes cpio as originally packaged
in Cucumber Linux.
----- Scope and Impact of this Vulnerability -----
This vulnerability allows an attacker to overwrite an arbitrary file on the
target user's filesystem when the target user extracts a specially crafted cpio
archive.
----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://lists.gnu.org/archive/html/bug-cpio/2017-06/txt8lVereD0rk.txt.
================================= Our Solution =================================
We have applied the aforementioned patch and rebuilt.